Site-to-Site IPsec VPN Between a FortiGate and a Cisco ASA

In this recipe, we will configure a site-to-site IPsec VPN tunnel between a FortiGate 90D and a Cisco ASA 5505.

Using FortiOS 5.2 and Cisco ASDM 7.1, the example demonstrates how to configure the tunnel on each site, assuming that both devices are configured with appropriate internal (inside) and external (outside) interfaces.

Note that this example uses the default encryption and authentication (SA proposal) settings of the Cisco ASDM IPsec VPN wizard. These are not necessarily the recommended settings.

We will use the wizards to configure each end of the tunnel, as this is much quicker. However, some customization will be required on the FortiGate to ensure that its SA proposal matches the Cisco ASA for each Phase. One of the most common reasons that tunnels between FortiGates and third-party products don’t work is mismatched settings.

1. Configuring the Cisco ASA using the IPsec VPN Wizard

In the Cisco ASDM, under the Wizard menu, select IPsec VPN Wizard.

Select Site-to-site, with VPN Tunnel Interface set to outside, and click Next.

In the Peer IP Address field, enter the IP address of the FortiGate unit.

Under Authentication Method, enter a secure Pre-Shared Key. You will use the same key when configuring the FortiGate.

Configure Phase 1 with 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 2.

Configure Phase 2 with 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 1.
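Since a proposal mismatch is the usual cause of failure, the following added example (not part of the original recipe) checks a saved FortiGate configuration against the ASA values chosen above. It assumes the FortiOS CLI keywords proposal and dhgrp under config vpn ipsec phase1-interface and phase2-interface, with no nested config blocks; the tunnel name "to-asa" and the sample configuration are constructed.

```python
import shlex

# ASA values from the steps above, written in FortiOS keyword spelling
# (assumption: the ASA's "SHA" is SHA-1, i.e. FortiOS "3des-sha1").
ASA = {
    "phase1-interface": {"proposal": "3des-sha1", "dhgrp": "2"},
    "phase2-interface": {"proposal": "3des-sha1", "dhgrp": "1"},
}

# Constructed sample config: the tunnel name and FortiGate-side values are made up.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "to-asa"
        set proposal aes128-sha256 3des-sha1
        set dhgrp 14 5
    next
end
config vpn ipsec phase2-interface
    edit "to-asa"
        set phase1name "to-asa"
        set proposal 3des-sha1
        set dhgrp 1
    next
end
"""

def parse(config):
    """Return {section: {tunnel: {keyword: [values]}}} for the IPsec phase tables."""
    out, section, tunnel = {}, None, None
    for line in config.splitlines():
        words = shlex.split(line)
        if words[:3] == ["config", "vpn", "ipsec"] and len(words) == 4:
            section, tunnel = words[3], None
            out[section] = {}
        elif section and words[:1] == ["edit"] and len(words) == 2:
            tunnel = words[1]
            out[section][tunnel] = {}
        elif section and tunnel and words[:1] == ["set"] and len(words) >= 3:
            out[section][tunnel][words[1]] = words[2:]
        elif words[:1] == ["next"]:
            tunnel = None
        elif words[:1] == ["end"]:
            section = tunnel = None
    return out

def mismatches(config, tunnel):
    """List settings where the FortiGate offers nothing the ASA is set to accept."""
    parsed, problems = parse(config), []
    for section, wanted in ASA.items():
        offered = parsed.get(section, {}).get(tunnel, {})
        for key, value in wanted.items():
            if value not in offered.get(key, []):
                have = " ".join(offered.get(key, [])) or "unset"
                problems.append(f"{section} {key}: ASA={value} FortiGate={have}")
    return problems
```

On the constructed sample, mismatches(SAMPLE, "to-asa") reports only the Phase 1 Diffie-Hellman group, because the FortiGate side offers groups 14 and 5 while the ASA is set to group 2.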

5. Troubleshooting

IPsec VPN troubleshooting tips

Configuration problem: Mode settings do not match.
Correction: Select complementary mode settings.

Configuration problem: Peer ID or certificate name of the remote peer or dialup client is not recognized by FortiGate VPN server.
Correction: Check Phase 1 configuration. Depending on the Remote Gateway and Authentication Method settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate name.
